Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
25/08/2024, 18:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
34f400840f86be8fb8c2f1ac013a5270N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
34f400840f86be8fb8c2f1ac013a5270N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
34f400840f86be8fb8c2f1ac013a5270N.exe
-
Size
96KB
-
MD5
34f400840f86be8fb8c2f1ac013a5270
-
SHA1
024494c9f372f81474b94ac9bda4e004baaa3eba
-
SHA256
d2587d2185c162f142de29f918752bed78ccdd8f501c0ba5254e1579eb18b199
-
SHA512
f1f3b1e6f781ba83d4e4e3a210ad50db9136bfd6103d035ac3ddad8a962c0ea1ae713d69f5aa18f0f0b1ca449bb0fb0168472620e37a42087e10428a49217765
-
SSDEEP
1536:jFKp+vdiieXDZ73WUkc+WVU8Sz2wGnF6VQR6/wePVFkiaAjWbjtKBvU:UUvdiivlwzcRVkiVwtCU
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odlojanh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Linphc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akmjfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amnfnfgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkcdafqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghopm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkidlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbkbgjcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afnagk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdqna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmgocb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpgfki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenobfak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdacop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nibebfpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oegbheiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aajbne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjdmmdnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbdklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jchhkjhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndhipoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ollajp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkmhaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nckjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocalkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjnamh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnimnfpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Annbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaolidlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nofdklgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojigbhlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeohnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjnmlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajbne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hanlnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Migbnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjnmlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abphal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhajdblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 34f400840f86be8fb8c2f1ac013a5270N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogkkfmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlfojn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbknddp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bonoflae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knklagmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmebnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kincipnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mofglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhaikn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjpnbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihgainbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iapebchh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljibgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pngphgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Picnndmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajpjakhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdmddc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpjhkjde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgbafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llcefjgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpekon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncbplk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qngmgjeb.exe -
Executes dropped EXE 64 IoCs
pid Process 2804 Ginnnooi.exe 2868 Hpgfki32.exe 2620 Hojgfemq.exe 2592 Hipkdnmf.exe 2160 Hakphqja.exe 576 Hkcdafqb.exe 964 Hanlnp32.exe 2280 Heihnoph.exe 2908 Hkfagfop.exe 1716 Hhjapjmi.exe 772 Hkhnle32.exe 672 Hdqbekcm.exe 1800 Igonafba.exe 2268 Icfofg32.exe 2336 Iipgcaob.exe 2164 Iompkh32.exe 2444 Igchlf32.exe 1864 Ipllekdl.exe 1360 Iamimc32.exe 1536 Ijdqna32.exe 700 Ihgainbg.exe 3056 Iapebchh.exe 2092 Idnaoohk.exe 892 Ileiplhn.exe 1736 Jocflgga.exe 2612 Jabbhcfe.exe 2716 Jgojpjem.exe 3028 Jnicmdli.exe 800 Jqgoiokm.exe 1492 Jkmcfhkc.exe 2284 Jqilooij.exe 1656 Jchhkjhn.exe 896 Jgcdki32.exe 2900 Jqlhdo32.exe 2136 Jcjdpj32.exe 1060 Jjdmmdnh.exe 2772 Jmbiipml.exe 2952 Jghmfhmb.exe 1484 Jfknbe32.exe 852 Kiijnq32.exe 1100 Kmefooki.exe 2440 Kocbkk32.exe 1828 Kconkibf.exe 1356 Kfmjgeaj.exe 2556 Kjifhc32.exe 2080 Kmgbdo32.exe 556 Kofopj32.exe 3040 Kbdklf32.exe 2312 Kebgia32.exe 2652 Kincipnk.exe 1580 Kklpekno.exe 592 Knklagmb.exe 936 Kbfhbeek.exe 2220 Keednado.exe 2664 Kgcpjmcb.exe 1804 Kkolkk32.exe 1076 Kpjhkjde.exe 3008 Kaldcb32.exe 2028 Kegqdqbl.exe 2964 Kgemplap.exe 2500 Kkaiqk32.exe 2344 Kbkameaf.exe 2252 Lanaiahq.exe 1564 Lghjel32.exe -
Loads dropped DLL 64 IoCs
pid Process 2704 34f400840f86be8fb8c2f1ac013a5270N.exe 2704 34f400840f86be8fb8c2f1ac013a5270N.exe 2804 Ginnnooi.exe 2804 Ginnnooi.exe 2868 Hpgfki32.exe 2868 Hpgfki32.exe 2620 Hojgfemq.exe 2620 Hojgfemq.exe 2592 Hipkdnmf.exe 2592 Hipkdnmf.exe 2160 Hakphqja.exe 2160 Hakphqja.exe 576 Hkcdafqb.exe 576 Hkcdafqb.exe 964 Hanlnp32.exe 964 Hanlnp32.exe 2280 Heihnoph.exe 2280 Heihnoph.exe 2908 Hkfagfop.exe 2908 Hkfagfop.exe 1716 Hhjapjmi.exe 1716 Hhjapjmi.exe 772 Hkhnle32.exe 772 Hkhnle32.exe 672 Hdqbekcm.exe 672 Hdqbekcm.exe 1800 Igonafba.exe 1800 Igonafba.exe 2268 Icfofg32.exe 2268 Icfofg32.exe 2336 Iipgcaob.exe 2336 Iipgcaob.exe 2164 Iompkh32.exe 2164 Iompkh32.exe 2444 Igchlf32.exe 2444 Igchlf32.exe 1864 Ipllekdl.exe 1864 Ipllekdl.exe 1360 Iamimc32.exe 1360 Iamimc32.exe 1536 Ijdqna32.exe 1536 Ijdqna32.exe 700 Ihgainbg.exe 700 Ihgainbg.exe 3056 Iapebchh.exe 3056 Iapebchh.exe 2092 Idnaoohk.exe 2092 Idnaoohk.exe 892 Ileiplhn.exe 892 Ileiplhn.exe 1736 Jocflgga.exe 1736 Jocflgga.exe 2612 Jabbhcfe.exe 2612 Jabbhcfe.exe 2716 Jgojpjem.exe 2716 Jgojpjem.exe 3028 Jnicmdli.exe 3028 Jnicmdli.exe 800 Jqgoiokm.exe 800 Jqgoiokm.exe 1492 Jkmcfhkc.exe 1492 Jkmcfhkc.exe 2284 Jqilooij.exe 2284 Jqilooij.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hebpjd32.dll Jghmfhmb.exe File created C:\Windows\SysWOW64\Aaheie32.exe Abeemhkh.exe File created C:\Windows\SysWOW64\Nlcnda32.exe Niebhf32.exe File opened for modification C:\Windows\SysWOW64\Nlcnda32.exe Niebhf32.exe File opened for modification C:\Windows\SysWOW64\Nmbknddp.exe Ngibaj32.exe File created C:\Windows\SysWOW64\Heihnoph.exe Hanlnp32.exe File created C:\Windows\SysWOW64\Fpcqjacl.dll Kfmjgeaj.exe File created C:\Windows\SysWOW64\Lfpclh32.exe Lcagpl32.exe File created C:\Windows\SysWOW64\Modkfi32.exe Mlfojn32.exe File created C:\Windows\SysWOW64\Nkbalifo.exe Nckjkl32.exe File opened for modification C:\Windows\SysWOW64\Oaiibg32.exe Ocfigjlp.exe File opened for modification C:\Windows\SysWOW64\Qeohnd32.exe Qflhbhgg.exe File opened for modification C:\Windows\SysWOW64\Bbikgk32.exe Bonoflae.exe File opened for modification C:\Windows\SysWOW64\Bkglameg.exe Bfkpqn32.exe File opened for modification C:\Windows\SysWOW64\Kgemplap.exe Kegqdqbl.exe File created C:\Windows\SysWOW64\Allepo32.dll Kegqdqbl.exe File opened for modification C:\Windows\SysWOW64\Modkfi32.exe Mlfojn32.exe File created C:\Windows\SysWOW64\Mabgcd32.exe Modkfi32.exe File created C:\Windows\SysWOW64\Poapfn32.exe Pkfceo32.exe File created C:\Windows\SysWOW64\Mbkbki32.dll Ackkppma.exe File created C:\Windows\SysWOW64\Ennlme32.dll Bpfeppop.exe File created C:\Windows\SysWOW64\Mabanhgg.dll Cdoajb32.exe File opened for modification C:\Windows\SysWOW64\Ileiplhn.exe Idnaoohk.exe File created C:\Windows\SysWOW64\Ndhipoob.exe Naimccpo.exe File created C:\Windows\SysWOW64\Odhfob32.exe Oaiibg32.exe File created C:\Windows\SysWOW64\Oegbheiq.exe Oalfhf32.exe File created C:\Windows\SysWOW64\Qjnmlk32.exe Qkkmqnck.exe File opened for modification C:\Windows\SysWOW64\Bmclhi32.exe Boplllob.exe File opened for modification C:\Windows\SysWOW64\Kegqdqbl.exe Kaldcb32.exe File created C:\Windows\SysWOW64\Ngkogj32.exe Ncpcfkbg.exe File created C:\Windows\SysWOW64\Odeiibdq.exe Oebimf32.exe File opened for modification C:\Windows\SysWOW64\Qngmgjeb.exe Qkhpkoen.exe File opened for modification C:\Windows\SysWOW64\Qiladcdh.exe Qqeicede.exe File created C:\Windows\SysWOW64\Aipheffp.dll Pihgic32.exe File created C:\Windows\SysWOW64\Jgojpjem.exe Jabbhcfe.exe File created C:\Windows\SysWOW64\Llcefjgf.exe Lghjel32.exe File opened for modification C:\Windows\SysWOW64\Leljop32.exe Lmebnb32.exe File created C:\Windows\SysWOW64\Aaapnkij.dll Oegbheiq.exe File created C:\Windows\SysWOW64\Imogmg32.dll Pkdgpo32.exe File created C:\Windows\SysWOW64\Hkhfgj32.dll Akmjfn32.exe File created C:\Windows\SysWOW64\Cjnolikh.dll Bejdiffp.exe File created C:\Windows\SysWOW64\Iamimc32.exe Ipllekdl.exe File created C:\Windows\SysWOW64\Gabqfggi.dll Lmgocb32.exe File opened for modification C:\Windows\SysWOW64\Llohjo32.exe Liplnc32.exe File created C:\Windows\SysWOW64\Bfenfipk.dll Nadpgggp.exe File created C:\Windows\SysWOW64\Icmqhn32.dll Qjnmlk32.exe File created C:\Windows\SysWOW64\Lmebnb32.exe Ljffag32.exe File created C:\Windows\SysWOW64\Maedhd32.exe Mofglh32.exe File opened for modification C:\Windows\SysWOW64\Qflhbhgg.exe Qbplbi32.exe File opened for modification C:\Windows\SysWOW64\Qbbhgi32.exe Qngmgjeb.exe File opened for modification C:\Windows\SysWOW64\Ngdifkpi.exe Nhaikn32.exe File created C:\Windows\SysWOW64\Ipgljgoi.dll Pcdipnqn.exe File created C:\Windows\SysWOW64\Eoqbnm32.dll Bbgnak32.exe File opened for modification C:\Windows\SysWOW64\Pkfceo32.exe Pihgic32.exe File opened for modification C:\Windows\SysWOW64\Akmjfn32.exe Acfaeq32.exe File opened for modification C:\Windows\SysWOW64\Behgcf32.exe Bbikgk32.exe File created C:\Windows\SysWOW64\Hkhnle32.exe Hhjapjmi.exe File created C:\Windows\SysWOW64\Ijdqna32.exe Iamimc32.exe File opened for modification C:\Windows\SysWOW64\Kkolkk32.exe Kgcpjmcb.exe File opened for modification C:\Windows\SysWOW64\Lpekon32.exe Lmgocb32.exe File created C:\Windows\SysWOW64\Aceobl32.dll Pokieo32.exe File created C:\Windows\SysWOW64\Oimbjlde.dll Bkglameg.exe File created C:\Windows\SysWOW64\Igciil32.dll Pomfkndo.exe File opened for modification C:\Windows\SysWOW64\Acfaeq32.exe Aaheie32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3544 3480 WerFault.exe 283 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iipgcaob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjifhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfmjgeaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kebgia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljffag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nodgel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kincipnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngkogj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollajp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pihgic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpekon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llohjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nibebfpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpfeppop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfpnmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leljop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacacg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpnbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ackkppma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kofopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmgocb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlcbenjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nckjkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcdipnqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmefooki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhkjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acpdko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beejng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhdgjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbikgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpgfki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iompkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnicmdli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfmffhde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meijhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oopfakpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkidlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qflhbhgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqeicede.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmjqcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgojpjem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlekia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnimnfpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcagpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqjfoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmebnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onecbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmclhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnmfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdqbekcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Libicbma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlaeonld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbplbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaolidlk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afkdakjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkcdafqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mooaljkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oebimf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaloddnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bejdiffp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Linphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mffimglk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abeemhkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abphal32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmgefl32.dll" Hipkdnmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohcaoajg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kedakjgc.dll" Ohhkjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll" Afnagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Beejng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll" Bfpnmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Behgcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kofopj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkaiqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Migbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npojdpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngkogj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pqjfoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjdmmdnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnecbc32.dll" Lcagpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpmbcmh.dll" Ljmlbfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmoilnn.dll" Pjpnbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Poocpnbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfnmfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hojgfemq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihgainbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mooaljkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akmjfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iapebchh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knklagmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgemplap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndemjoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeamlkj.dll" Pmagdbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agdjkogm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kconkibf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kconkibf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhffckeo.dll" Mdcpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmkjbfe.dll" Nmbknddp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqalo32.dll" Pjnamh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdplpd32.dll" Pbkbgjcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhajdblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gneolbel.dll" Picnndmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjbjhgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hipkdnmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jqgoiokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agmceh32.dll" Kebgia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Modkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlbongd.dll" Mabgcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkmhaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocalkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbnoliap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbnag32.dll" Hojgfemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iompkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgcdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnddig32.dll" Lmikibio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pecomlgc.dll" Libicbma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odhfob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncmfqkdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 34f400840f86be8fb8c2f1ac013a5270N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpjmjp32.dll" Icfofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlaeonld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifmohp.dll" Mffimglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mffimglk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbmjah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nibebfpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdepma32.dll" Ohcaoajg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hakphqja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pplhdp32.dll" Kofopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kofopj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2704 wrote to memory of 2804 2704 34f400840f86be8fb8c2f1ac013a5270N.exe 30 PID 2704 wrote to memory of 2804 2704 34f400840f86be8fb8c2f1ac013a5270N.exe 30 PID 2704 wrote to memory of 2804 2704 34f400840f86be8fb8c2f1ac013a5270N.exe 30 PID 2704 wrote to memory of 2804 2704 34f400840f86be8fb8c2f1ac013a5270N.exe 30 PID 2804 wrote to memory of 2868 2804 Ginnnooi.exe 31 PID 2804 wrote to memory of 2868 2804 Ginnnooi.exe 31 PID 2804 wrote to memory of 2868 2804 Ginnnooi.exe 31 PID 2804 wrote to memory of 2868 2804 Ginnnooi.exe 31 PID 2868 wrote to memory of 2620 2868 Hpgfki32.exe 32 PID 2868 wrote to memory of 2620 2868 Hpgfki32.exe 32 PID 2868 wrote to memory of 2620 2868 Hpgfki32.exe 32 PID 2868 wrote to memory of 2620 2868 Hpgfki32.exe 32 PID 2620 wrote to memory of 2592 2620 Hojgfemq.exe 33 PID 2620 wrote to memory of 2592 2620 Hojgfemq.exe 33 PID 2620 wrote to memory of 2592 2620 Hojgfemq.exe 33 PID 2620 wrote to memory of 2592 2620 Hojgfemq.exe 33 PID 2592 wrote to memory of 2160 2592 Hipkdnmf.exe 34 PID 2592 wrote to memory of 2160 2592 Hipkdnmf.exe 34 PID 2592 wrote to memory of 2160 2592 Hipkdnmf.exe 34 PID 2592 wrote to memory of 2160 2592 Hipkdnmf.exe 34 PID 2160 wrote to memory of 576 2160 Hakphqja.exe 35 PID 2160 wrote to memory of 576 2160 Hakphqja.exe 35 PID 2160 wrote to memory of 576 2160 Hakphqja.exe 35 PID 2160 wrote to memory of 576 2160 Hakphqja.exe 35 PID 576 wrote to memory of 964 576 Hkcdafqb.exe 36 PID 576 wrote to memory of 964 576 Hkcdafqb.exe 36 PID 576 wrote to memory of 964 576 Hkcdafqb.exe 36 PID 576 wrote to memory of 964 576 Hkcdafqb.exe 36 PID 964 wrote to memory of 2280 964 Hanlnp32.exe 37 PID 964 wrote to memory of 2280 964 Hanlnp32.exe 37 PID 964 wrote to memory of 2280 964 Hanlnp32.exe 37 PID 964 wrote to memory of 2280 964 Hanlnp32.exe 37 PID 2280 wrote to memory of 2908 2280 Heihnoph.exe 38 PID 2280 wrote to memory of 2908 2280 Heihnoph.exe 38 PID 2280 wrote to memory of 2908 2280 Heihnoph.exe 38 PID 2280 wrote to memory of 2908 2280 Heihnoph.exe 38 PID 2908 wrote to memory of 1716 2908 Hkfagfop.exe 39 PID 2908 wrote to memory of 1716 2908 Hkfagfop.exe 39 PID 2908 wrote to memory of 1716 2908 Hkfagfop.exe 39 PID 2908 wrote to memory of 1716 2908 Hkfagfop.exe 39 PID 1716 wrote to memory of 772 1716 Hhjapjmi.exe 40 PID 1716 wrote to memory of 772 1716 Hhjapjmi.exe 40 PID 1716 wrote to memory of 772 1716 Hhjapjmi.exe 40 PID 1716 wrote to memory of 772 1716 Hhjapjmi.exe 40 PID 772 wrote to memory of 672 772 Hkhnle32.exe 41 PID 772 wrote to memory of 672 772 Hkhnle32.exe 41 PID 772 wrote to memory of 672 772 Hkhnle32.exe 41 PID 772 wrote to memory of 672 772 Hkhnle32.exe 41 PID 672 wrote to memory of 1800 672 Hdqbekcm.exe 42 PID 672 wrote to memory of 1800 672 Hdqbekcm.exe 42 PID 672 wrote to memory of 1800 672 Hdqbekcm.exe 42 PID 672 wrote to memory of 1800 672 Hdqbekcm.exe 42 PID 1800 wrote to memory of 2268 1800 Igonafba.exe 43 PID 1800 wrote to memory of 2268 1800 Igonafba.exe 43 PID 1800 wrote to memory of 2268 1800 Igonafba.exe 43 PID 1800 wrote to memory of 2268 1800 Igonafba.exe 43 PID 2268 wrote to memory of 2336 2268 Icfofg32.exe 44 PID 2268 wrote to memory of 2336 2268 Icfofg32.exe 44 PID 2268 wrote to memory of 2336 2268 Icfofg32.exe 44 PID 2268 wrote to memory of 2336 2268 Icfofg32.exe 44 PID 2336 wrote to memory of 2164 2336 Iipgcaob.exe 45 PID 2336 wrote to memory of 2164 2336 Iipgcaob.exe 45 PID 2336 wrote to memory of 2164 2336 Iipgcaob.exe 45 PID 2336 wrote to memory of 2164 2336 Iipgcaob.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\34f400840f86be8fb8c2f1ac013a5270N.exe"C:\Users\Admin\AppData\Local\Temp\34f400840f86be8fb8c2f1ac013a5270N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Ginnnooi.exeC:\Windows\system32\Ginnnooi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Hpgfki32.exeC:\Windows\system32\Hpgfki32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Hojgfemq.exeC:\Windows\system32\Hojgfemq.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Hipkdnmf.exeC:\Windows\system32\Hipkdnmf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Hakphqja.exeC:\Windows\system32\Hakphqja.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Hkcdafqb.exeC:\Windows\system32\Hkcdafqb.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Hanlnp32.exeC:\Windows\system32\Hanlnp32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Heihnoph.exeC:\Windows\system32\Heihnoph.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Hkfagfop.exeC:\Windows\system32\Hkfagfop.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Hhjapjmi.exeC:\Windows\system32\Hhjapjmi.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Hkhnle32.exeC:\Windows\system32\Hkhnle32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Hdqbekcm.exeC:\Windows\system32\Hdqbekcm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\Igonafba.exeC:\Windows\system32\Igonafba.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Icfofg32.exeC:\Windows\system32\Icfofg32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Iipgcaob.exeC:\Windows\system32\Iipgcaob.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Iompkh32.exeC:\Windows\system32\Iompkh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Igchlf32.exeC:\Windows\system32\Igchlf32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Ipllekdl.exeC:\Windows\system32\Ipllekdl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1864 -
C:\Windows\SysWOW64\Iamimc32.exeC:\Windows\system32\Iamimc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1360 -
C:\Windows\SysWOW64\Ijdqna32.exeC:\Windows\system32\Ijdqna32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Ihgainbg.exeC:\Windows\system32\Ihgainbg.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:700 -
C:\Windows\SysWOW64\Iapebchh.exeC:\Windows\system32\Iapebchh.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Idnaoohk.exeC:\Windows\system32\Idnaoohk.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Ileiplhn.exeC:\Windows\system32\Ileiplhn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Jocflgga.exeC:\Windows\system32\Jocflgga.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Jabbhcfe.exeC:\Windows\system32\Jabbhcfe.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Jgojpjem.exeC:\Windows\system32\Jgojpjem.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2716 -
C:\Windows\SysWOW64\Jnicmdli.exeC:\Windows\system32\Jnicmdli.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Jqgoiokm.exeC:\Windows\system32\Jqgoiokm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:800 -
C:\Windows\SysWOW64\Jkmcfhkc.exeC:\Windows\system32\Jkmcfhkc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Jqilooij.exeC:\Windows\system32\Jqilooij.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Jchhkjhn.exeC:\Windows\system32\Jchhkjhn.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Jgcdki32.exeC:\Windows\system32\Jgcdki32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Jqlhdo32.exeC:\Windows\system32\Jqlhdo32.exe35⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Jcjdpj32.exeC:\Windows\system32\Jcjdpj32.exe36⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Jjdmmdnh.exeC:\Windows\system32\Jjdmmdnh.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1060 -
C:\Windows\SysWOW64\Jmbiipml.exeC:\Windows\system32\Jmbiipml.exe38⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Jghmfhmb.exeC:\Windows\system32\Jghmfhmb.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Jfknbe32.exeC:\Windows\system32\Jfknbe32.exe40⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Kiijnq32.exeC:\Windows\system32\Kiijnq32.exe41⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Kmefooki.exeC:\Windows\system32\Kmefooki.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1100 -
C:\Windows\SysWOW64\Kocbkk32.exeC:\Windows\system32\Kocbkk32.exe43⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Kconkibf.exeC:\Windows\system32\Kconkibf.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Kfmjgeaj.exeC:\Windows\system32\Kfmjgeaj.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1356 -
C:\Windows\SysWOW64\Kjifhc32.exeC:\Windows\system32\Kjifhc32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2556 -
C:\Windows\SysWOW64\Kmgbdo32.exeC:\Windows\system32\Kmgbdo32.exe47⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Kofopj32.exeC:\Windows\system32\Kofopj32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:556 -
C:\Windows\SysWOW64\Kbdklf32.exeC:\Windows\system32\Kbdklf32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Kebgia32.exeC:\Windows\system32\Kebgia32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Kincipnk.exeC:\Windows\system32\Kincipnk.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\Kklpekno.exeC:\Windows\system32\Kklpekno.exe52⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Knklagmb.exeC:\Windows\system32\Knklagmb.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Kbfhbeek.exeC:\Windows\system32\Kbfhbeek.exe54⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Keednado.exeC:\Windows\system32\Keednado.exe55⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Kgcpjmcb.exeC:\Windows\system32\Kgcpjmcb.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Kkolkk32.exeC:\Windows\system32\Kkolkk32.exe57⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Kpjhkjde.exeC:\Windows\system32\Kpjhkjde.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Kaldcb32.exeC:\Windows\system32\Kaldcb32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Kegqdqbl.exeC:\Windows\system32\Kegqdqbl.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Kgemplap.exeC:\Windows\system32\Kgemplap.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Kkaiqk32.exeC:\Windows\system32\Kkaiqk32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Kbkameaf.exeC:\Windows\system32\Kbkameaf.exe63⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Lanaiahq.exeC:\Windows\system32\Lanaiahq.exe64⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Lghjel32.exeC:\Windows\system32\Lghjel32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Llcefjgf.exeC:\Windows\system32\Llcefjgf.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1908 -
C:\Windows\SysWOW64\Ljffag32.exeC:\Windows\system32\Ljffag32.exe67⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:596 -
C:\Windows\SysWOW64\Lmebnb32.exeC:\Windows\system32\Lmebnb32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\SysWOW64\Leljop32.exeC:\Windows\system32\Leljop32.exe69⤵
- System Location Discovery: System Language Discovery
PID:1056 -
C:\Windows\SysWOW64\Lgjfkk32.exeC:\Windows\system32\Lgjfkk32.exe70⤵PID:1720
-
C:\Windows\SysWOW64\Lfmffhde.exeC:\Windows\system32\Lfmffhde.exe71⤵
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Ljibgg32.exeC:\Windows\system32\Ljibgg32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2596 -
C:\Windows\SysWOW64\Lmgocb32.exeC:\Windows\system32\Lmgocb32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Lpekon32.exeC:\Windows\system32\Lpekon32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:908 -
C:\Windows\SysWOW64\Lcagpl32.exeC:\Windows\system32\Lcagpl32.exe75⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Lfpclh32.exeC:\Windows\system32\Lfpclh32.exe76⤵PID:1440
-
C:\Windows\SysWOW64\Linphc32.exeC:\Windows\system32\Linphc32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1292 -
C:\Windows\SysWOW64\Lmikibio.exeC:\Windows\system32\Lmikibio.exe78⤵
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Lphhenhc.exeC:\Windows\system32\Lphhenhc.exe79⤵PID:2032
-
C:\Windows\SysWOW64\Lbfdaigg.exeC:\Windows\system32\Lbfdaigg.exe80⤵PID:2176
-
C:\Windows\SysWOW64\Ljmlbfhi.exeC:\Windows\system32\Ljmlbfhi.exe81⤵
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Liplnc32.exeC:\Windows\system32\Liplnc32.exe82⤵
- Drops file in System32 directory
PID:648 -
C:\Windows\SysWOW64\Llohjo32.exeC:\Windows\system32\Llohjo32.exe83⤵
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Lbiqfied.exeC:\Windows\system32\Lbiqfied.exe84⤵PID:2376
-
C:\Windows\SysWOW64\Legmbd32.exeC:\Windows\system32\Legmbd32.exe85⤵PID:916
-
C:\Windows\SysWOW64\Libicbma.exeC:\Windows\system32\Libicbma.exe86⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Mlaeonld.exeC:\Windows\system32\Mlaeonld.exe87⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Mooaljkh.exeC:\Windows\system32\Mooaljkh.exe88⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Mffimglk.exeC:\Windows\system32\Mffimglk.exe89⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Meijhc32.exeC:\Windows\system32\Meijhc32.exe90⤵
- System Location Discovery: System Language Discovery
PID:1116 -
C:\Windows\SysWOW64\Mhhfdo32.exeC:\Windows\system32\Mhhfdo32.exe91⤵PID:2040
-
C:\Windows\SysWOW64\Mlcbenjb.exeC:\Windows\system32\Mlcbenjb.exe92⤵
- System Location Discovery: System Language Discovery
PID:1832 -
C:\Windows\SysWOW64\Moanaiie.exeC:\Windows\system32\Moanaiie.exe93⤵PID:1952
-
C:\Windows\SysWOW64\Mbmjah32.exeC:\Windows\system32\Mbmjah32.exe94⤵
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Migbnb32.exeC:\Windows\system32\Migbnb32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Mhjbjopf.exeC:\Windows\system32\Mhjbjopf.exe96⤵PID:1708
-
C:\Windows\SysWOW64\Mlfojn32.exeC:\Windows\system32\Mlfojn32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Modkfi32.exeC:\Windows\system32\Modkfi32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Mabgcd32.exeC:\Windows\system32\Mabgcd32.exe99⤵
- Modifies registry class
PID:904 -
C:\Windows\SysWOW64\Mdacop32.exeC:\Windows\system32\Mdacop32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2680 -
C:\Windows\SysWOW64\Mlhkpm32.exeC:\Windows\system32\Mlhkpm32.exe101⤵PID:2820
-
C:\Windows\SysWOW64\Mofglh32.exeC:\Windows\system32\Mofglh32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Maedhd32.exeC:\Windows\system32\Maedhd32.exe103⤵PID:1700
-
C:\Windows\SysWOW64\Meppiblm.exeC:\Windows\system32\Meppiblm.exe104⤵PID:2132
-
C:\Windows\SysWOW64\Mdcpdp32.exeC:\Windows\system32\Mdcpdp32.exe105⤵
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Mgalqkbk.exeC:\Windows\system32\Mgalqkbk.exe106⤵PID:2912
-
C:\Windows\SysWOW64\Mkmhaj32.exeC:\Windows\system32\Mkmhaj32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Mmldme32.exeC:\Windows\system32\Mmldme32.exe108⤵PID:1672
-
C:\Windows\SysWOW64\Ndemjoae.exeC:\Windows\system32\Ndemjoae.exe109⤵
- Modifies registry class
PID:824 -
C:\Windows\SysWOW64\Nhaikn32.exeC:\Windows\system32\Nhaikn32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\Ngdifkpi.exeC:\Windows\system32\Ngdifkpi.exe111⤵PID:2932
-
C:\Windows\SysWOW64\Nibebfpl.exeC:\Windows\system32\Nibebfpl.exe112⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:992 -
C:\Windows\SysWOW64\Nibebfpl.exeC:\Windows\system32\Nibebfpl.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2624 -
C:\Windows\SysWOW64\Naimccpo.exeC:\Windows\system32\Naimccpo.exe114⤵
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Ndhipoob.exeC:\Windows\system32\Ndhipoob.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1036 -
C:\Windows\SysWOW64\Nckjkl32.exeC:\Windows\system32\Nckjkl32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:792 -
C:\Windows\SysWOW64\Nkbalifo.exeC:\Windows\system32\Nkbalifo.exe117⤵PID:2892
-
C:\Windows\SysWOW64\Niebhf32.exeC:\Windows\system32\Niebhf32.exe118⤵
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Nlcnda32.exeC:\Windows\system32\Nlcnda32.exe119⤵PID:840
-
C:\Windows\SysWOW64\Npojdpef.exeC:\Windows\system32\Npojdpef.exe120⤵
- Modifies registry class
PID:1320 -
C:\Windows\SysWOW64\Ncmfqkdj.exeC:\Windows\system32\Ncmfqkdj.exe121⤵
- Modifies registry class
PID:1964
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-